Linux Archive > Redhat > Fedora SELinux Support
02-16-2010, 07:21 AM
ESGLinux

how to set permissions to files with a pattern in the file name

Hi All,
I'm a bit newbie with SELinux (nothing more than watch sealert -b and do what it says...) and now I want to learn more about it because I have a problem:
I need to set the permissions to files that are going to be created, but these permissions depend on the name of the file. Is it possible?

By the way, any doc about SELinux for beginners? The official doc scares ;-)
Thanks in advance,
ESG


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
02-16-2010, 08:27 AM
Dominick Grift

Re: how to set permissions to files with a pattern in the file name

On 02/16/2010 09:21 AM, ESGLinux wrote:
> Hi All,
>
> I'm a bit newbie with SELinux (nothing more than watch sealert -b and do
> what it says...) and now I want to learn more about it because I have a
> problem:
>
> I need to set the permissions to files that are going to be created, but
> these permissions depend on the name of the file. Is it possible?

I do not believe this is possible.

> By the way, any doc about SELinux for beginners? The official doc scares ;-)

http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/
 
02-16-2010, 09:05 AM
ESGLinux

Re: how to set permissions to files with a pattern in the file name

2010/2/16 Dominick Grift <domg472@gmail.com>

> On 02/16/2010 09:21 AM, ESGLinux wrote:
>> Hi All,
>>
>> I'm a bit newbie with SELinux (nothing more than watch sealert -b and do
>> what it says...) and now I want to learn more about it because I have a
>> problem:
>>
>> I need to set the permissions to files that are going to be created, but
>> these permissions depend on the name of the file. Is it possible?
>
> I do not believe this is possible.

I thought it is the same as you can see in the file /etc/selinux/targeted/contexts/files/file_contexts, for example

/mnt(/[^/]*)  -l  system_u:object_r:mnt_t:s0

With a pattern you assign a context. So I thought you could use this to assign permissions or modify the access to the files.
Am I wrong?

>> By the way, any doc about SELinux for beginners? The official doc scares ;-)
>
> http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/

Thanks, I'm going to study this doc,

ESG

 
02-16-2010, 09:20 AM
Dominick Grift

Re: how to set permissions to files with a pattern in the file name

On 02/16/2010 11:05 AM, ESGLinux wrote:
> 2010/2/16 Dominick Grift <domg472@gmail.com>
>
>> On 02/16/2010 09:21 AM, ESGLinux wrote:
>>> Hi All,
>>>
>>> I'm a bit newbie with SELinux (nothing more than watch sealert -b and do
>>> what it says...) and now I want to learn more about it because I have a
>>> problem:
>>>
>>> I need to set the permissions to files that are going to be created, but
>>> these permissions depend on the name of the file. Is it possible?
>>
>> I do not believe this is possible.
>>
>
> I thought it is the same as you can see in the
> file /etc/selinux/targeted/contexts/files/file_contexts
> for example
> /mnt(/[^/]*)  -l  system_u:object_r:mnt_t:s0
>
> With a pattern you assign a context. So I thought you could use this to assign
> permissions or modify the access to the files.
>
> Am I wrong?

Well, you can use file context specifications to restore contexts of
files to the specified context, but I believe this often will not work
for creating files, unless you use restorecond. Restorecond is a daemon
that monitors the filesystem and restores locations to the specified
contexts as soon as they are created.

But to really create a file with a specified context requires a file
type transition. File type transitions depend on which process type
creates which class of file object where.

So, an example of a type transition:

if a process with type bla_t creates a file in a directory with type
hello_t, then type transition to type bla_hello_file_t

if a process with type bla_t creates a sock_file in a directory with
type hello_t, then type transition to type bla_hello_sock_file_t

if a process with type bla_t creates a file in a directory with type
bye_t, then type transition to type bla_bye_file_t

if a process with type foo_t creates a dir in a directory with type
hello_t, then type transition to type foo_hello_dir_t

So there are possibilities, but you cannot use file names to specify type
transitions. You can use file names for file context specifications,
however, but that requires that you enable and configure restorecond, and
it does not actually create the objects with the specified type. The
restorecond daemon just restores the context of a file to the specified
context as soon as it is created.

An example of restorecond is how it runs in Fedora 12 in a gnome
session. (restorecond -u)

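As an added illustration (this is not code from the thread, and it is a toy model rather than libselinux or kernel code), the Python below models the two mechanisms Dominick contrasts and that ESG's file_contexts question runs together: name-based file_contexts matching, which is what restorecon/setfiles and restorecond apply to objects that already exist, and the type_transition decision the kernel makes when an object is created, which sees only the source process type, the parent directory type and the object class. The file_contexts entries, the report_data_t type and the transition rules are constructed for the example; only the file_contexts line syntax is real. One caveat that postdates this 2010 thread: kernels from 2.6.39 (policy version 25) add named file transitions, `type_transition src tgt:class result "name";`, but they match the exact last path component, never a regex, so the model includes them to show that a pattern-based goal like ESG's is still not met at creation time.

```python
"""Toy model of the two SELinux labelling paths discussed in the thread.

Constructed example, not code from the thread or from the SELinux tooling.
The file_contexts entries, type names and transition rules below are made
up to illustrate the point; only the file_contexts line syntax is real.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed file_contexts entries in the real on-disk syntax:
# <regex> [file-type flag] <context>.  report_data_t is a hypothetical
# type, not one from the Fedora policy.
FILE_CONTEXTS = r"""
/mnt(/[^/]*)?                 -d  system_u:object_r:mnt_t:s0
/mnt(/[^/]*)?                 -l  system_u:object_r:mnt_t:s0
/srv/data(/.*)?                   system_u:object_r:var_t:s0
/srv/data/report_[^/]*\.csv   --  system_u:object_r:report_data_t:s0
"""

# File-type flags as understood by setfiles/restorecon.
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
               "-p": "fifo_file", "-b": "blk_file", "-c": "chr_file"}


@dataclass
class Spec:
    regex: re.Pattern
    ftype: Optional[str]   # None means "any object class"
    context: str


def parse_file_contexts(text: str):
    """Parse file_contexts lines into anchored regex specs."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, flag, context = fields
            ftype = FTYPE_FLAGS[flag]
        elif len(fields) == 2:
            (pattern, context), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        # setfiles anchors every regex at both ends.
        specs.append(Spec(re.compile("^" + pattern + "$"), ftype, context))
    return specs


def match_context(specs, path: str, ftype: str) -> Optional[str]:
    """Context that restorecon/setfiles (or restorecond) would apply to an
    existing object.  Matching is by path name, and the last matching entry
    wins, which is why local customisations are appended after the base file."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            return spec.context
    return None


# Constructed type_transition rules keyed on
# (source process type, parent directory type, object class) -> new type.
TYPE_TRANSITIONS: Dict[Tuple[str, str, str], str] = {
    ("bla_t", "hello_t", "file"): "bla_hello_file_t",
    ("bla_t", "hello_t", "sock_file"): "bla_hello_sock_file_t",
    ("bla_t", "bye_t", "file"): "bla_bye_file_t",
    ("foo_t", "hello_t", "dir"): "foo_hello_dir_t",
}


def creation_type(source_type: str, parent_type: str, cls: str,
                  name: Optional[str] = None,
                  named_transitions: Optional[Dict[Tuple[str, str, str, str], str]] = None) -> str:
    """Type the kernel gives a *new* object.  No regex is consulted: the
    default is to inherit the parent directory's type, a type_transition rule
    overrides that, and (kernels 2.6.39+, policy version 25+) a named
    transition can key on the exact last path component only."""
    if named_transitions and name is not None:
        hit = named_transitions.get((source_type, parent_type, cls, name))
        if hit is not None:
            return hit
    return TYPE_TRANSITIONS.get((source_type, parent_type, cls), parent_type)


def demo():
    """Label a name-based rule wants vs. label the file actually gets at creation."""
    specs = parse_file_contexts(FILE_CONTEXTS)
    path = "/srv/data/report_2010.csv"
    by_name = match_context(specs, path, "file")
    # An unconfined shell with no transition rule for var_t in this toy
    # policy: the new file simply inherits var_t, whatever its name.
    at_create = creation_type("unconfined_t", "var_t", "file", name="report_2010.csv")
    return by_name, at_create


if __name__ == "__main__":
    print(demo())
```

In the real tooling the first half corresponds to `semanage fcontext -a -t <type> '<regex>'` followed by `restorecon -Rv <dir>` (or restorecond watching the path), and the second half to a `type_transition` rule in a policy module; `demo()` returns the two answers side by side to make the gap between them visible.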
 
02-17-2010, 07:27 AM
ESGLinux

Re: how to set permissions to files with a pattern in the file name

> ESG, Take a step back and explain to us what process is creating these files. What processes are you
> trying to prevent from reading these files?

any process that can create a file, touch, vim...

> Who is creating the files?

any user that can log in to the system.

> If it is one process creating the files then you can add SELinux awareness to the tool and get the files created with the "correct" context.

Hope my answer explains the problem a bit more
Thanks
ESG
 
02-17-2010, 12:18 PM
Daniel J Walsh

Re: how to set permissions to files with a pattern in the file name

On 02/17/2010 03:27 AM, ESGLinux wrote:
>> ESG, Take a step back and explain to us what process is creating these
>> files. What processes are you
>> trying to prevent from reading these files?
>
> any process that can create a file, touch, vim...
>
>> Who is creating the files?
>
> any user that can log in to the system.
>
>> If it is one process creating the files then you can add SELinux awareness
>> to the tool and get the files created with the "correct" context.
>
> Hope my answer explains the problem a bit more
>
> Thanks
>
> ESG

What is the security separation on the files, then? Can you give me more of a definition of what these files are?

Are you trying to allow a file to be created and, depending on its name, have it shared by a confined service?

You have not explained what your security goal is.
 
02-18-2010, 08:51 AM
ESGLinux

Re: how to set permissions to files with a pattern in the file name

> What is the security separation on the files, then? Can you give me more of a definition of what these files are?
>
> Are you trying to allow a file to be created and, depending on its name, have it shared by a confined service?
>
> You have not explained what your security goal is.

I'll try to explain.
I have a big directory with thousands of files. All of these files match a pattern in the file name (files that don't match don't matter). What I want is that when a new file is created, the users or groups that can access the file are already fixed (it is like putting g+s on a directory so that all the files created in it get the directory's group).

What I want is to simulate this: http://en.wikipedia.org/wiki/Resource_Access_Control_Facility
Look at this: "In addition to being one of the most mature and scalable security monitors in computing, it has some interesting features that are not often found in Microsoft Windows or Unix environments. It can, for example, set permissions for file patterns — that is, set the permissions even for files that do not yet exist"

Is this possible to simulate with SELinux, or am I totally wrong?
I hope now it is clearer.
Greetings and thanks for your answers
ESG
 
